6/29/2010 @ 6:00AM

The Truth About Einstein

Richard Stiennon suggested in his recent Forbes post that the U.S. Department of Homeland Security (DHS) is relying on the wrong tools to protect government systems with its deployment of Einstein.

Einstein is the program that puts intrusion detection systems at the gateways that provide U.S. government agencies their Internet service. A future version, Einstein 3, will add additional capability by providing Intrusion Prevention Systems the ability to do full, deep packet inspection and “threat-based decision making” on network traffic, according to the White House. This means the ability to identify malicious traffic entering U.S. government networks on the fly and shut it off.

All intrusion detection approaches require signatures of malicious traffic, allowing the system to search traffic flows for those malicious code configurations. This means that one must know what to look for. The advantage of Einstein 3 is that it connects to intelligence sources to provide better insight as to what to look for–a richer list of signatures. The White House recently stated that, “DHS will be able to adapt threat signatures determined by NSA in the course of its foreign intelligence and DoD information assurance missions for use in the EINSTEIN 3 system in support of DHS’s federal system security mission.”

At the end of the day, however, one is still searching for signatures identified a priori as malicious. This is useful, since it weeds much malicious traffic out of the Internet flows to government agencies. But it approaches the problem from a risk avoidance mindset–set up the wall and assume that you are largely secure.

Better security comes, however, from a risk-management approach, namely Enterprise Threat and Risk Management, in which one assumes the adversary will get in. The key to this approach is a powerful correlation engine. Stiennon mentions Security Information and Event Management products, such as the one from ArcSight, in his post, but he largely overlooks the importance of correlation.

Each action–good or bad–in a complex network leaves a footprint or fingerprint. Correlations are drawn among the myriad fingerprints, and these are measured against the network protection policies of the enterprise, as well as against features in code known to be malicious. A correlation engine can successfully locate these signs of malicious action even without the aid of a priori signatures, and it does so in real time across hundreds of millions of events per day. Normal–acceptable and healthy–transactions do not violate policy; abnormal or malicious actions do violate policy and need to be identified, investigated and shut down.
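To make the distinction concrete, here is an added Python illustration (not ArcSight's or Einstein's code) in which the events, group names, shares and policy thresholds are all constructed. The same event stream passes a signature check untouched but yields three findings once per-user event chains are measured against policy.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real logs: (timestamp, user, type, detail)
EVENTS = [
    ("2010-06-29T08:00:00", "alice", "login", {"host": "ws-12"}),
    ("2010-06-29T08:05:00", "alice", "file_read", {"share": "hr-payroll", "bytes": 2_000_000}),
    ("2010-06-29T08:07:00", "alice", "egress", {"dst": "203.0.113.7", "bytes": 1_900_000}),
    ("2010-06-29T09:00:00", "bob", "login", {"host": "ws-40"}),
    ("2010-06-29T09:10:00", "bob", "file_read", {"share": "eng-docs", "bytes": 50_000}),
    ("2010-06-29T09:20:00", "svc-backup", "login", {"host": "ws-40"}),
]

# Constructed enterprise policy: which groups may read which shares, which
# accounts must never log in interactively, and the hourly egress ceiling.
POLICY = {
    "share_access": {"hr-payroll": {"hr"}, "eng-docs": {"eng"}},
    "groups": {"alice": {"eng"}, "bob": {"eng"}, "svc-backup": set()},
    "non_interactive": {"svc-backup"},
    "egress_limit_bytes": 1_000_000,
    "window": timedelta(hours=1),
}

SIGNATURES = ["cmd.exe /c", "EICAR-STANDARD"]  # constructed known-bad strings

def signature_hits(events):
    """Signature-style check: flags only content matching a known-bad pattern."""
    return [e for e in events if any(s in repr(e[3]) for s in SIGNATURES)]

def unauthorised_read(user, detail, policy):
    allowed = policy["share_access"].get(detail["share"], set())
    return not (policy["groups"].get(user, set()) & allowed)

def correlate(events, policy):
    """Measure each user's event chain against policy; no signatures involved."""
    findings, per_user = [], defaultdict(list)
    for ts, user, kind, detail in sorted(events, key=lambda e: e[0]):
        per_user[user].append((datetime.fromisoformat(ts), kind, detail))
    for user, evs in per_user.items():
        if user in policy["non_interactive"] and any(k == "login" for _, k, _ in evs):
            findings.append((user, "interactive login by service account"))
        bad_reads = [t for t, k, d in evs
                     if k == "file_read" and unauthorised_read(user, d, policy)]
        findings += [(user, "read of share outside authorised groups") for _ in bad_reads]
        # Correlation proper: an unauthorised read followed by large egress inside the window
        for t, k, d in evs:
            if k == "egress" and d["bytes"] > policy["egress_limit_bytes"] \
               and any(timedelta(0) <= t - r <= policy["window"] for r in bad_reads):
                findings.append((user, "large egress shortly after unauthorised read"))
    return findings
```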

In sum, the intrusion detection and prevention capabilities that homeland security is installing with Einstein will provide benefit in cleaning malicious traffic out of the Internet flows to government agencies. They do not, however, identify all the other kinds of attacks that will still slip into an enterprise; the Maginot line will leak.

The only way to identify these is to use deep correlation measured against the security policies of the enterprise. Thus, the major shortcoming is not with Einstein. It is the fact that much of the protection of an enterprise must take place within the enterprise: detailed review of IT processes, identity and access management controls, and software baseline controls–all measured against carefully crafted security policies, connected to real-time response.

Until U.S. government agencies adopt this risk management approach, develop and implement the required policies, and use the kind of deep correlation tools that allow them to locate malicious action, they will continue to see intrusions succeed. The real shortcoming in the homeland security process is the failure to mandate this kind of deep integration of policy with advanced correlation systems, which is the essence of Enterprise Threat and Risk Management.

Dr. Prescott B. Winter is CTO, Public Sector for ArcSight. He was most recently Associate Deputy Director of National Intelligence for Information Integration for the National Security Agency and previously served as CIO and CTO of the NSA.